This is an online log of my Slackware experiences. Be aware that I'm also using this blog to cover basic and intermediate security issues that may not pertain to Slackware. This is my way of consolidating blogs (I've several of them).


Tuesday, July 02, 2013

I haven't checked my firewall logs in awhile, so I decided to do a very quick assessment.

I immediately noticed a pattern of inbound hosts attempting to communicate from source port 80, which is weird, as that's not a normal port for non-webservers to be talking from. Web clients typically communicate to destination port 80; the only time you'd expect to see source port 80 is a web server responding to a previous HTTP request from a client. That's not the case here. These connection attempts are being initiated from source port 80 by IPs not normally affiliated with my server.

Almost half of the logged traffic is trying to communicate on source port 80 (of 486 log entries, 218 are source port 80). The traffic is being blocked by the firewall, and what I'm seeing is initiation attempts. This traffic isn't a huge issue, but I'm curious as to what's going on. I've commented on such traffic before, but the amount I'm seeing now is far more than what I'm used to seeing.

I think I'll capture some traffic to try to see what's going on.

EDIT: nothing much captured so far. After some sniffing and tinkering, I had to filter some IPs out (two IPs belong to my server and the other belongs to Ubuntu).

UPDATE: I let a pcap capture run overnight and when I checked the process, I got 999 hits. In looking at the pcap, I saw that I'd missed a few Ubuntu server IPs that my server was polling (for OS updates). I filtered those out and got 22 hits:

Someone is scanning my server and purposely using source port 80 when attempting deliberate (and distributed) scans. If I had the balls to run a honeypot, I could probably gain a better understanding of what type of scans are being conducted.
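The triage above (pull the source-port-80 entries out of the firewall log, drop the server's own addresses and the update mirrors, see what's left) is easy to script. The example below is added here and is not the author's code; it parses iptables/netfilter kernel log lines and separates legitimate-looking port-80 replies (SYN/ACK or ACK back to a high client port) from bare SYNs sent from port 80, which no web server ever emits and which is exactly what a scanner using a spoofed source port (nmap's -g/--source-port option, for instance, aimed at stateless rules that let "return HTTP traffic" through) produces. The log lines, the server addresses (198.51.100.5 and .6) and the "Ubuntu mirror" address (203.0.113.200) are all constructed from documentation ranges and stand in for whatever your own logs and allow-list contain.

```python
from collections import Counter

# Constructed sample of netfilter DROP log lines (documentation addresses, not real traffic).
# Field layout follows the kernel netfilter log format: key=value fields plus bare flag tokens.
SAMPLE_LOG = """\
Jul  2 03:14:07 slack kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=80 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  2 03:14:09 slack kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54322 PROTO=TCP SPT=80 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  2 03:15:44 slack kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=80 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  2 03:16:02 slack kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=41234 WINDOW=14480 RES=0x00 ACK SYN URGP=0
Jul  2 03:16:30 slack kernel: IN= OUT=eth0 SRC=198.51.100.6 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jul  2 03:17:11 slack kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=256 PROTO=TCP SPT=6000 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  2 03:17:40 slack kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=257 PROTO=TCP SPT=80 DPT=12345 WINDOW=16384 RES=0x00 ACK URGP=0
Jul  2 03:18:50 slack kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=53 DPT=39001 LEN=53
"""

# Hypothetical allow-list: the server's own addresses and the update mirror it polls.
OWN_IPS = {"198.51.100.5", "198.51.100.6"}
TRUSTED_IPS = {"203.0.113.200"}

# TCP flag and IP option tokens that netfilter logs as bare words rather than key=value.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CE"}


def parse_line(line):
    """Turn one netfilter log line into a dict of fields plus a FLAGS set.

    Returns None for lines that are not netfilter records (no PROTO= field)."""
    if "PROTO=" not in line:
        return None
    rec = {"FLAGS": set()}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)  # "OUT=" yields an empty value, which is fine
            rec[key] = value
        elif tok in FLAG_TOKENS:
            rec["FLAGS"].add(tok)
    return rec


def classify(rec, own_ips, trusted_ips):
    """Label a record by whether its source-port-80 traffic could be a real HTTP reply.

    A web server answering a client sends SYN/ACK (or later ACK/PSH) from port 80.
    A bare SYN *from* port 80 is a new connection being opened, i.e. a probe."""
    src = rec.get("SRC")
    if src in own_ips or src in trusted_ips:
        return "expected"
    if rec.get("PROTO") != "TCP" or rec.get("SPT") != "80":
        return "other"
    if rec["FLAGS"] == {"SYN"}:
        return "sport80-syn-probe"
    return "sport80-other"  # ACK-only etc.: possibly a late reply, possibly an ACK scan


def summarize(log_text, own_ips, trusted_ips):
    """Count records per label and tally (source IP, probed port) pairs for the SYN probes."""
    counts = Counter()
    probes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec, own_ips, trusted_ips)
        counts[label] += 1
        if label == "sport80-syn-probe":
            probes[(rec["SRC"], rec["DPT"])] += 1
    return counts, probes


if __name__ == "__main__":
    counts, probes = summarize(SAMPLE_LOG, OWN_IPS, TRUSTED_IPS)
    for label, n in sorted(counts.items()):
        print(f"{label:20s} {n}")
    print("SYN probes from source port 80 (src, dst port):")
    for (src, dpt), n in sorted(probes.items()):
        print(f"  {src:16s} -> {dpt:6s} x{n}")
```

Run it against a real log with `summarize(open("/var/log/messages").read(), OWN_IPS, TRUSTED_IPS)` after filling in your own addresses. The same distinction can be applied at capture time instead of afterwards: the pcap filter `tcp src port 80 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` keeps only SYN-without-ACK segments from port 80, and `and not src host <mirror>` clauses drop the update servers before they ever land in the pcap.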